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Dear SAR guidance consultation team, 
ABI response to the ICO consultation on the draft right of access guidance 


The ABI is the voice of the UK’s world-leading insurance and long-term savings 
industry. 


We welcome the opportunity to provide input into the ICO’s draft right of access 
guidance and provide examples of ABI member firms’ experiences in dealing with 
Subject Access Requests since May 2018. 


Whilst we are supportive of the guidance overall, we wanted to raise some specific 
points in relation to Data Subject Access Requests and insurers’ experiences with 
them. 


We would like to highlight the “significant” increase in Data Subject Access Requests 
to ABI members since May 2018, most notably from Claims Management 
Companies (CMCs), but also from claimant solicitors acting on behalf of data 
subjects. To give an indication of scale, some members have noted that over half of 
Data Subject Access Requests now come from CMCs and one firm noted that, in 
one month alone, they received nearly 200 requests from CMCs. 


Whilst the guidance recognises that “in the financial services sector...it is not 
uncommon for claims management companies to make bulk requests on behalf of 
multiple individuals”, given that such a volume of requests is received via these third 
parties, we would value greater emphasis within the guidance on the regulatory 
requirements on these third parties to fulfil their own data protection obligations and 
the way in which firms should treat requests from CMCs. 


For example: 


e In relation to clear and transparent communications with data subjects, we 
would welcome stronger messaging about the need for CMCs to obtain 
appropriate consent from the data subject for the processing of their 
personal data, and to ensure that the data subject receives clear and 
transparent communications about the way their personal data will be 
processed by the CMC; 

e To assist with the data minimisation principle, we would value more 
emphasis in the guidance on the need for CMCs'’ claims to have a good 
base and for CMCs to investigate the existence and merits of each 
element of a potential claim, as outlined in the FCA Dear CEO letter to 
CMCs in June 2019. 

e Clarification on the extent to which requests from CMCs can be treated as 
requests for information rather than DSARs, and how firms can make a 
clear distinction between the two different types of request would also be 
beneficial. 

e We would also value a clear link in the guidance to CMCs’ regulatory 
requirements under the FCA, and for the guidance to make reference to 
the FCA’s policy statement PS18-23 (Claims Management: how we will 
regulate claims management companies). 


Please don’t hesitate to contact me if you would like any further information. 


Yours faithfully 


NABI 


